Stanford/Palo Alto Macintosh User Group Newsletter
February 26, 2010
In This Issue
March 8 Meeting Agenda
February Meeting Report
Dear Steve,
MacWorld 2010

I hope everyone was able to visit and enjoy MacWorld this year - despite the absence of Apple and other big names, there was still an enthusiastic crowd looking to sample Mac-based products. My personal highlights were LeVar Burton channeling Steve Jobs/Jimmy Stewart at David Pogue's opening show (you had to be there!), Kevin Smith's two-hour tour-de-force and the many cool iPhone apps (inexplicably crowded into a tiny area of the floor). Personal spending high - our old SMUG presenter friends' FastMac booth (you need backup batteries!)

Anyway, I trust we'll have time to discuss these and much more at our next meeting, which owing to ongoing conferences at SLAC will be on March 8 - that's right, March 8, in the Redwood Room.
Photos: David Pogue & LeVar Burton; Kevin Smith
March SMUG Meeting Agenda
Bill Atkinson, Apple Computer software legend and world renowned nature photographer, is back with an innovative product that redefines the way people create and send postcards.

With Bill Atkinson PhotoCard you can easily make dazzling, high resolution postcards on your iPhone or iPod touch, and send them on-the-spot, either through e-mail, or through the US Postal Service. The application is amazingly easy to use. To create a PhotoCard, select one of Bill Atkinson's exquisite nature photographs or use one of your own personal photos. Then, flip the PhotoCard over to type your custom message on the back. For a fun touch, jazz up your PhotoCard with your choice of decorative stickers and stamps. If you're e-mailing your message, it can even include an audible greeting in a voice note.

You can get more details on Bill's website.

Sample PhotoCards


Software Giveaway!

Pixelmator

At the last meeting, we ran out of time to demonstrate a Mac-based app called Pixelmator aimed squarely at Adobe Photoshop but at a fraction of the price of that bloated program. And once again, we have a download to give away to a lucky raffle winner.


Plus Q & A and the latest shareware offerings from Owen Saxton
February Meeting Report: Computer & Internet Security with Lynda Gousha
Following Dave Aston's timely presentation on privacy issues with Java & Adobe's ubiquitous Flash software, Lynda Gousha gave an overview of security issues that even perhaps-too-smug Mac users might consider. Lynda Gousha is from the Silicon Valley Macintosh User Group. She has expertise in internet security & researches security threats.

Lynda's talk was about security for Macintosh users. What do you need to know to stay safe? She did not get into the technical aspects of the topic, though she was open to contributions from SMUG people.

Lynda played a bank theft video, an interview on 60 Minutes with Shawn Henry, FBI Cyber Division, in November 2009. You can watch this on the Internet.
Thieves made copies of bankcards in 49 cities throughout the world, and they stole about $100 million in 24 hours using stolen PIN numbers and account information. The bad guys added a device to ATMs that collects your data from your bankcard: if you see something weird at an ATM, trust your gut!
http://www.cbsnews.com/stories/2009/11/06/60minutes/main5555565_page3.shtml
http://www.cbsnews.com/video/watch/?id=5578986n&tag=related;photovideo

Voices.washingtonpost.com/securityfix/victfin.htm
The above website lists businesses that have been robbed, the date of theft, the amount stolen, and amount recovered. Bullitt County, KY is an especially famous case.

Most banks require notice within 24 hours for businesses, if your money is stolen; consumers are usually allowed 30 days, but check with your bank so you know specific policies.

Some businesses are suing, saying the bank should have caught the fraudulent withdrawal of their funds.

Victims: Banks of Germany, August 2009
Changes were made to the web site as seen by the victims, so that the victims did not see the removal of funds from their accounts.
Euro 193,606 was stolen (via a Trojan on the PC) from Aug 11-26, 2009.

Money Mules are people who transfer money stolen in one country to another country. You might see an advertisement for a job where you set your own hours, be your own boss, and so on. You sign up, and your job is to withdraw from an account and wire transfer the money offshore. People are usually not aware this is an illegal operation.


Conficker is a computer worm that surfaced in November 2008. Over 7 million PCs are infected. This worm has done nothing yet, it just spreads. Some PCs have autorun, which has been a vector of the Conficker infections. Autorun has since been patched, but many PCs have not been patched, and many were infected before being patched. Conficker has shown up in hospital computers.

Adobe has vulnerabilities, such as in Flash, Acrobat Reader, and more. These vulnerabilities have been patched; it is important that you run your Adobe software updates!

There are anti-virus scams to beware of. Anti-malware pop-up windows appear, on a Mac or PC. This is called scareware. It says your PC is infected, and we have just the fix! Just give us your credit card number! Some of these exploits prevent running the applications on the PC until and unless you pay.

Let's discuss Macintosh OS X.
Vulnerabilities vs. Exploits
There are few exploits in the Mac OS, unlike Windows. But there are vulnerabilities. Microsoft Office, Adobe Reader, Flash, Shockwave are among the most vulnerable kinds of software.

Phishing emails are emails that claim to be from someone that you trust (UPS or FedEx, for example) but are fraudulent. They ask you to give them your information.

Attack websites, all you need to do is go to website, and it downloads malware onto your machine. So far, the malware that is downloaded only runs on Windows, but Mac users should stay diligent. If you see something downloading without your permission and/or request, shut down your browser, or, if needed, even restart your computer!

If you are using Safari, you can go to Preferences, Security, and set it for more security. Now, remember that houses have bigger locks in Chicago than in Sunnyvale, CA. We are running Mac OS X, so we are less vulnerable since crooks go for easier marks. But it is still smart to adjust security preferences to not download stuff automatically.

There are web exploits. You can get a warning in Google searches that a website may harm your computer. Google, Firefox, and Bing have such warnings about these sites; you can decide if you want to risk going to those websites.

FREE SOFTWARE
Watch out for ads to get software for free, because along with it can come a Trojan! If someone offers free Mac OS X 10.6, or any software for your Mac that usually costs money, it is likely malware.

In web searches, bad guys set up pages for big news events to try to make their website be the first one that comes up in Google, like with Haiti donations, Michael Jackson dying, etc. Double-check the URL before you go there! This is called search engine optimization poisoning.

IPHONE

Very little nasty stuff on the iPhone, so far. But jailbroken iPhones in Australia have been "Rick Rolled" in that they were infected with a worm that pointed to a pop star named Rick Astley, but that did not seem to do any real harm. Then, jailbroken iPhones were exploited in the Netherlands. In that case the 'bad guys' did get into some peoples' bank accounts. This was an SSH exploit using the default password. If you jailbreak (or don't jailbreak) your iPhone, change the SSH password, and/or disable SSH!

There is phishing and spear phishing. With phishing, you get an email claiming to be from your bank or from the IRS, or some other 'trusted' source. It requests you to click on a link, usually asks for your account information, and your password. The phishing email claiming to be from the IRS says you are due a refund, or you are being audited. Remember the IRS will NEVER contact you about matters like this from an email.

With spear phishing, the email is sent to a targeted person, such as a business executive. One case of spear phishing was pointed against a guy at a particular company, and told him to fill out a form for the Better Business Bureau or be sued. This email looks real! Remember to always contact companies or organizations by phone - using a phone number you look up.

Then there is the usual Nigerian Scam, these days being modified to appear to be from your friend! Call and see if your friend is really in Nigeria.... it's not very likely.

You might get "See this link!" from your Facebook friend! Check to see if that message really is really from your Facebook friend.

Lynda showed an email: Notification from Discover Bank Account, Dear American Express Member. Um, when the email says it is from Discover card, and it says dear American Express member, THIS IS A FAKE! This email showed a warning across the top saying this is likely not where it claims to be from.  The warning came from google, as this was sent to a gmail account. Often, scam emails will contain obvious errors like this, but some are very well done, and look professional.

NEVER click on a link in an email claiming to be from your bank, since very few banks work that way. If you think the email might be legitimate, pick up the phone and call.
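The tell-tale signs described above (a "Discover" notice addressed to an American Express member, a sender that is not the bank's real domain, a link whose visible text does not match where it actually points) can be checked mechanically. The following is an added example, not code from the talk or from SMUG; the sample emails are constructed, the brand-to-domain table is an assumption for illustration, and the sender address and IP use reserved documentation values.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands commonly impersonated in phishing mail, mapped to the domains they really send from.
# These mappings are an assumption for this example, not an authoritative list.
BRAND_DOMAINS = {
    "discover": {"discover.com"},
    "american express": {"americanexpress.com"},
    "irs": {"irs.gov"},
    "ups": {"ups.com"},
    "fedex": {"fedex.com"},
}

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Crude 'example.com' from 'www.example.com'; None for a raw IPv4 literal."""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return None
    return ".".join(host.lower().split(".")[-2:])

def brands_mentioned(text):
    low = text.lower()
    return [b for b in BRAND_DOMAINS if re.search(r"\b" + re.escape(b) + r"\b", low)]

def phishing_indicators(raw_message):
    """Return a list of human-readable warning signs found in a single-part HTML email."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(sender.rsplit("@", 1)[-1]) if "@" in sender else None
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    parser = LinkExtractor()
    parser.feed(body)
    visible = re.sub(r"<[^>]+>", " ", body)
    brands = brands_mentioned(msg.get("Subject", "") + " " + visible)
    findings = []
    if len(brands) > 1:
        findings.append("mentions several brands: " + ", ".join(brands))
    for brand in brands:
        if sender_domain not in BRAND_DOMAINS[brand]:
            findings.append(f"claims to be {brand} but was sent from {sender_domain}")
    for href, text in parser.links:
        target = urlparse(href).hostname or ""
        target_dom = registered_domain(target)
        if target_dom is None:
            findings.append(f"link points at a raw IP address: {href}")
        if text.startswith(("http://", "https://")):
            shown = registered_domain(urlparse(text).hostname or "")
            if shown and shown != target_dom:
                findings.append(f"link text shows {shown} but points to {target_dom or target}")
    return findings

# Constructed sample modelled on the email from the talk (sender domain and IP are reserved
# documentation values, not real hosts).
SAMPLE_PHISH = """\
From: "Discover Bank" <alerts@discover-account-notice.example>
To: member@example.net
Subject: Notification from Discover Bank Account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear American Express Member,</p>
<p>Unusual activity was detected. Please verify your account within 24 hours:</p>
<a href="http://198.51.100.7/verify">https://www.discover.com/account/verify</a>
</body></html>
"""

# Constructed control: a plausible legitimate notice that should raise no findings.
SAMPLE_LEGIT = """\
From: "Discover Card" <alerts@discover.com>
To: member@example.net
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Your Discover statement is ready.</p>
<a href="https://www.discover.com/statements">Sign in to view it</a></body></html>
"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_PHISH):
        print("WARNING:", finding)
```

The checks are deliberately simple heuristics: a mismatch between the claimed brand and the sending domain, a raw IP address in a link, or link text that names one site while the href points elsewhere. Any one of them is reason enough to do what the talk recommends, which is to put the email aside and phone the bank using a number you look up yourself.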

NETWORK SECURITY

As for your home network security, check to see that you do not use WEP for your WiFi security, WEP is very easy to crack.  Use WPA or WPA2, and a good password. If you don't know what WEP or WPA is, contact someone who does, and get them to change your network settings. In some cases, you may need to update equipment - some older routers are only capable of WEP; but routers these days can be inexpensive, and the safety is worth the money.

Change the name of your network, rather than leaving it at the default name (i.e. NOT Linksys or Netgear). If you do not take these precautions, it is easier for someone to crack into your WiFi network and use it for their purposes - which could be criminal, or not. But it's best not to take the chance.


Now for a few passwords do's and don'ts. Do NOT use dictionary words. Try using Mac OS X Password Generator. Long passwords are good! Lots of people use short ones: computers take longer to crack long passwords. TWITTER has banned passwords (you are not allowed to use them): 11111, 1234567, aaaaaa, access, computer, and so on. Passwords like password or password1 are TOO EASY TO CRACK!

1password is an application that generates passwords for you. (Note from Dave: Lynda told me that everyone who uses it loves it.) PasswordWallet stores all your passwords. Freeware: Lastpass, and for Windows, Roboform.

Use a different password for each website, or for a bare minimum, use more complex passwords for your banking and other most important sites.
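The password rules above (no dictionary words, no banned or common passwords, length matters because the keyspace grows with every character) can be turned into a small checker. This is an added example, not code from the talk or any of the products it names; the banned list is a few constructed entries modelled on the Twitter list mentioned, the dictionary is a tiny stand-in for a real word list, and the guess rate is an assumed figure for illustration.

```python
import math
import re

# Constructed sample lists for this example: a few entries modelled on the banned-password
# list the talk mentions, and a tiny stand-in for a real dictionary.
BANNED_PASSWORDS = {"111111", "1234567", "aaaaaa", "access", "computer",
                    "password", "password1", "letmein", "qwerty"}
DICTIONARY_WORDS = {"password", "computer", "sunnyvale", "macintosh", "apple",
                    "monkey", "dragon", "secret", "welcome"}
# Common character substitutions that cracking tools try automatically.
LEET_MAP = str.maketrans({"@": "a", "0": "o", "3": "e", "$": "s", "1": "i",
                          "!": "i", "4": "a", "5": "s", "7": "t"})

def charset_size(password):
    """Size of the alphabet a brute-force attacker would have to cover."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII punctuation and space
    return size

def estimated_bits(password):
    """Upper bound on entropy, assuming every character was chosen at random."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0

def brute_force_seconds(password, guesses_per_second=1e9):
    """Worst-case time to enumerate the whole keyspace at an assumed guess rate."""
    return charset_size(password) ** len(password) / guesses_per_second

def core_word(password):
    """Lower-case, drop trailing digits, undo leet substitutions: 'P@ssw0rd1' -> 'password'."""
    return re.sub(r"\d+$", "", password.lower()).translate(LEET_MAP)

def check_password(password, min_length=12, min_bits=60):
    """Apply the talk's do's and don'ts and report every problem found."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in BANNED_PASSWORDS:
        problems.append("on the banned/common-password list")
    if core_word(password) in DICTIONARY_WORDS:
        problems.append("dictionary word, possibly with digits or substitutions")
    if len(set(password)) <= 2:
        problems.append("too few distinct characters")
    bits = estimated_bits(password)
    if bits < min_bits:
        problems.append(f"only about {bits:.0f} bits of keyspace")
    return {
        "ok": not problems,
        "bits": round(bits, 1),
        "brute_force_seconds": brute_force_seconds(password),
        "problems": problems,
    }

if __name__ == "__main__":
    for candidate in ["password1", "P@ssw0rd1", "aaaaaa", "correct-horse-battery-staple"]:
        result = check_password(candidate)
        status = "OK " if result["ok"] else "BAD"
        print(f"{status} {candidate!r}: {result['bits']} bits, "
              f"{result['brute_force_seconds']:.3g} s worst case; {result['problems']}")
```

Note that the keyspace figure is only an upper bound: a banned or dictionary-based password is guessed in the first fraction of a second regardless of its length, which is why the list and dictionary checks come before the arithmetic.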

Facebook is a BIG target now.

WHAT DO YOU DO?
Keep your Mac up to date: do your security updates. With Microsoft and Adobe software: run their software updates, or use alternate software such as Preview, iWork, on the Mac. With emails and tweets claiming to be from a bank or the IRS: check that, do not click and fill it out!

Do you want to see where a short URL is really from? Expand those URLS by going to longurl.org/expand.

Do not use Windows for online banking. Linux is a good alternative, as is Mac OS X.

Force quit your browser if something unwanted is downloading. Delete all spam email, preferably without opening it.

Check your bank, credit, and debit card statements.
For businesses, find out your bank's policies.

GOOD SOURCES
The podcast named Security Now. Also Brain Krebs, www.krebsonsecurity.com. Brian is a former reporter from the Washington Post.
SANS - computer security email newsletter. www.sans.org/newsletters/

Security reality check is Lynda's website. www.securityrealitycheck.com

As for your Macintosh password, you can use the Password Assistant from the Keychain Access application (it shows up in other places too). It is reached via the key icon next to the password field, and asks what type of password you want: Manual, Memorable, and others. It comments on the password, for example that the word is in the dictionary, and shows a quality bar for that password (colored red, yellow, and so on).

Yes, it is good to change your passwords; one recent podcast suggested changing bank passwords whenever we change to and from Daylight Saving Time.

If you are DEEP SIXED, you should have your passwords written down where friends/relatives can find them.

The 1password application integrates with all known browsers. It goes beyond keychain. There is also an iPhone app for 1password. Everyone Lynda has talked to likes it. (Note from Dave: Hmm, I think I said that!)

Data Guardian is an application to encrypt your data.

You can use a non-administrative user account, especially with a Windows machine.

People visiting adult websites sites can get infected. (Note from Dave: Well, their computers can. Naughty naughty, be careful with that stuff!) The website might say, see our naughty pictures or videos, but you need to download a certain codec to see them! Don't do that if you want your computer to stay healthy.
 
//Dave Strom, VP/Director

See you all on Monday March 8th (remember - that's a week later than usual!)
 
Sincerely,
 
Steve Bellamy
SMUG President
 